TinyTurlaNG – INDIA NEWS http://www.indiavpn.org News Blog Thu, 21 Mar 2024 17:28:23 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 Russia Hackers Using TinyTurla-NG to Breach European NGO’s Systems http://www.indiavpn.org/2024/03/21/russia-hackers-using-tinyturla-ng-to-breach-european-ngos-systems/ http://www.indiavpn.org/2024/03/21/russia-hackers-using-tinyturla-ng-to-breach-european-ngos-systems/#respond Thu, 21 Mar 2024 17:28:23 +0000 https://www.indiavpn.org/2024/03/21/russia-hackers-using-tinyturla-ng-to-breach-european-ngos-systems/ [ad_1]

Mar 21, 2024NewsroomThreat Intelligence / Malware

Russia Hackers

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.

“The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions,” Cisco Talos said in a new report published today.

“Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.”

There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltrating taking place via the tool a month later, around January 12, 2024.

Cybersecurity

TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.

Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.

Russia Hackers

The attack chain involves Turla exploiting their initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious “sdm” service that masquerades as a “System Device Manager” service.

TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.

“Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence,” Talos researchers said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

]]>
http://www.indiavpn.org/2024/03/21/russia-hackers-using-tinyturla-ng-to-breach-european-ngos-systems/feed/ 0
Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor http://www.indiavpn.org/2024/02/15/russian-turla-hackers-target-polish-ngos-with-new-tinyturla-ng-backdoor/ http://www.indiavpn.org/2024/02/15/russian-turla-hackers-target-polish-ngos-with-new-tinyturla-ng-backdoor/#respond Thu, 15 Feb 2024 16:44:35 +0000 https://www.indiavpn.org/2024/02/15/russian-turla-hackers-target-polish-ngos-with-new-tinyturla-ng-backdoor/ [ad_1]

Feb 15, 2024NewsroomMalware / Cyber Espionage

Russian Turla Hackers

The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023.

“TinyTurla-NG, just like TinyTurla, is a small ‘last chance’ backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems,” Cisco Talos said in a technical report published today.

TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was first documented by the cybersecurity company in September 2021.

Cybersecurity

Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).

In recent months, the threat actor has singled out the defense sector in Ukraine and Eastern Europe with a novel .NET-based backdoor called DeliveryCheck, while also upgrading its staple second-stage implant referred to as Kazuar, which it has put to use as early as 2017.

The latest campaign involving TinyTurla-NG dates back to December 18, 2023, and is said to have been ongoing up until January 27, 2024. However, it’s suspected that the activity may have actually commenced in November 2023 based on the malware compilation dates.

It’s currently not known how the backdoor is distributed to victim environments, but it has been found to employ compromised WordPress-based websites as command-and-control (C2) endpoints to fetch and execute instructions, enabling it to run commands via PowerShell or Command Prompt (cmd.exe) as well as download/upload files.

Cybersecurity

TinyTurla-NG also acts as a conduit to deliver PowerShell scripts dubbed TurlaPower-NG that are designed to exfiltrate key material used to secure the password databases of popular password management software in the form of a ZIP archive.

The disclosure comes as Microsoft and OpenAI revealed that nation-state actors from Russia are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) like ChatGPT, to understand satellite communication protocols, radar imaging technologies, and seek support with scripting tasks.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

]]>
http://www.indiavpn.org/2024/02/15/russian-turla-hackers-target-polish-ngos-with-new-tinyturla-ng-backdoor/feed/ 0